Technical Field
The present application relates to a hardware non deterministic random byte generator, and more generally to random bit generation.
Description of the Related Art
As electronic data interchange (EDI) and digital communication usage is continuously expanding, securing such digital exchanges has become essential. Encryption technology typically is used to ensure communication security between distant devices. For example, digital signature algorithms are widely used for authenticating digital files. An essential need for data encryption is the generation of random numbers.
Encryption is used in particular in the industry of mailing systems. Mailing systems typically include a postage security device (PSD) for managing the postage funds in a secure manner. One of the main functions of the PSD is to ensure the security of the communication of the mailing system, especially with the postal authorities. Some critical security requirements are defined by postal authorities. Cryptographic methods are used to ensure the communication security, and are based on the generation of cryptographic keys, which require the generation of random numbers.
In the digital world, the generation of random numbers consists in the generation of random bits. Two types of random number generation are distinguished. The first type is a non deterministic random bit generator (NRBG), which is a random bit generator employing an entropy source. An entropy source produces an output of random bits that has full entropy. The entropy source includes a physical noise source (e.g., thermal noise or hard drive seek times), health tests, and an optional conditioning stage. Ideally, to say that a bit string provides full entropy would imply that it was selected uniformly at random from the set of bit strings having all the same length, in which case, each bit in the string would be uniformly distributed (i.e., equally likely to be 0 or 1) and statistically independent of the other bits in the string. However, for practical applications, the distribution uniformity and the statistical independence would be accepted within some limits. For example, the NIST SP 800-90B standard specifies that a N-bit string is said to provide full entropy if it is obtained through a process that is estimated to provide at least (1−E)×N bits of entropy, where: 0<E<2 exponent (−64). For NIST SP 800-90B, such strings are an acceptable approximation to the ideal.
The second type of random number generation is a deterministic random bit generator (DRBG). A DRBG is a random bit generator that employs a DRBG mechanism (or algorithm) and a source of entropy input. A DRBG produces a pseudorandom sequence of bits from an initial secret value called a seed (and, perhaps additional input). A DRBG is often called a pseudorandom bit (or number) generator.
Previously, postal authorities imposed security standards typically covered by the FIPS specifications, which allowed simpler methods for generating random bits. The seed could be generated by a random bit generator, which did not have to be strictly a NRBG. The initial seed could be provided to the PSD at the manufacturer's premises before shipment of the PSD to the customer. Then, a DRBG embedded in the PSD could generate random bits for the whole life of the PSD.
Recently, some postal authorities have decided that an initial seeding was not sufficient to ensure the security of the communication, and they have specified that reseeding is required on a regular basis. One way to meet this requirement is to include an entropy source within each PSD.